Skip to main content

Why are brick-and-mortar retailers crumbling under hacker attacks?

target credit card theft warnings ignored exterior
Image used with permission by copyright holder

Over the weekend, high-end retailer Neiman Marcus admitted that hackers infiltrated its system and stole untold lists of credit and debit card numbers, along with other personal information belong to its customers.

The breach comes just days after Target said that hackers stole the payment data, addresses, phone numbers, and names of some 70 million customers – a number that may or may not include the roughly 40 million shoppers whose private data landed in hackers’ hands following the post-Thanksgiving spending spree.

“The recent Target attack was about stealing data.”

The bleeding does not stop there, however; according to Reuters, hackers have successfully breached the systems of “at least three other well-known US retailers.” We don’t yet know the identities of these outlets, but will undoubtedly find out soon.

Cyberattacks are nothing new, of course. What makes the Target and Nieman breaches so frightening for shoppers – at least, for this shopper – is that both attacks only affected customers who made purchases offline.

So why have have hackers suddenly turned toward brick-and-mortar retailers? How are they pulling it off? And is it possible that shopping offline is now less safe, or at least as risky, as shopping online?

Low-hanging fruit

Since Amazon.com launched in 1995, consumers have worried about hackers snagging their credit-card data from the Web – and rightly so. Retailers lost roughly $3.5 billion in e-commerce sales during 2012 due to credit card fraud, according payment processor CyberSource.

“If we measured fraud loss, payment fraud is three times higher online than it is offline,” says Loc Nguyen, vice president of marketing for fraud prevention firm Feedzai, which uses advanced machine-learning techniques to predict payment fraud. “Online has been traditionally thought of as less safe, but online shopping only accounts for 6 percent of spending, which equals $343 billion out of the $4 trillion in retail purchases.”

Neiman MarcusSo while online shopping may be considered less safe, offline retailers represent a far juicier target for cyber-thieves. “Just as bank robbers rob banks (because that’s where the money is at), professional fraud organizations go after offline environments because that’s where the card data are,” Nguyen says.

Historically, offline retailers have enjoyed greater protection from cyberattacks simply because their business transactions were less connected to the online world. But this is changing. Increasingly, the systems you use to buy online and offline are inexorably intertwined. And that’s a problem. 

Rise of the RAM scrapers

In recent years, hackers have begun using a type of malware known as a RAM scraper, which specifically targets brick-and-mortar retailers’ point-of-sale devices – digital cash registers, in other words. Reuters reports that the Target and Neiman Marcus hackers likely used sophisticated RAM scrapers to steal customers’ credit- and debit-card numbers.

RAM scrapers have been around for years, and target a payment security standard known as PCI-DSS, which is predominantly used in the US. While PCI-DSS requires that payment data is encrypted end-to-end, there is a brief moment – milliseconds – after you swipe when your card that the number and other data is in plain-text form, meaning anyone could read it during that instant. That’s all hackers need to steal the payment data and copy it to their list. 

“Payment fraud is three times higher online than it is offline.”

Using RAM scrapers makes perfect economic sense for hackers; not only can they pilfer far more credit card numbers at a time, but the wealth of data they obtain through a RAM scraper attack is more useful and valuable than what they can potentially take from online transactions.

“Going after point-of-sale gives the attackers an opportunity to collect credit card data in bulk,” says Roel Schouwenberg, Principal Security Researcher at cybersecurity firm Kaspersky Lab. “The attackers will also be hoping to have a higher success rate using cloned, physical cards rather than using cards online.”

Attacking point-of-sale also makes it possible to sell those card numbers to other criminals in a greater variety of forms, Schouwenberg says. “When trying to resell the stolen credit card data online, the attackers may also be able to sell into different underground markets, as the people dealing with cloned cards are not necessarily the same people dealing with online fraud,” he says. 

Bad connection

Twice last year, in April and August, Visa issued security alerts about the rise of RAM scrapers, warning retailers both times to separate their payment systems from other systems to help mitigate the risks of malware infections, and curb the amount of data that attackers could steal. But this isn’t happening – if anything, retailers’ systems are becoming more and more interconnected.

Target Red Card“Brick-and-mortar and online retailers are storing lots of information on consumers to make shopping easier and more personal; therefore, a swipe of a credit card at a store versus an online merchant is the same,” says Eric Chiu, president and co-founder of cloud security firm HyTrust. “Also, because of the density of data in today’s networks, thieves don’t just get some data – they get it all.” 

“The recent Target attack was about stealing data,” says Nguyen. “Data has and will continue to be the digital payment industry’s most valuable asset.” And because our offline and online shopping is becoming further entwined, we can only assume that cybercriminals will increasingly target both online and brick-and-mortar payment systems.

Nguyen adds, “As our lives gradually migrate onto the Internet, and consumers continue to embrace omnichannel commerce, so too will the criminals employing increasingly sophisticated attacks that cross channels so the notion of a relatively safer channel is fleeting.”

The big fix

The good news in all this is that credit card fraud has fallen over the past 20 years, “from 6.1 cents to 5.2 cents for every $100 spent,” says Nguyen, “so we can say that, overall, our money [is] safer than it has ever been.” Unfortunately, that’s talking percentages. During the same period, credit card use has increased – and so has the total number of dollars lost, from less than $2 billion annually to more than $11 billion, by Feedzai’s count.

“As the world moves away from cash, there’s just more electronic payment volume to be protected,” says Nguyen. 

Still, $11 billion is a lot of money. And protecting that money in an increasingly connected payment infrastructure likely requires retailers and payment processors to swap out the PCI-DSS standard for a whole new set of tools known as EMV.

Also called “Chip-and-PIN,” the EMV standard – named after its primary developers, Europay, MasterCard, Visa – uses cards with embedded microprocessors that require customers to enter a PIN to authenticate a transaction, rather than simply scribbling their signature on a piece of paper or digital payment pad.

“Because of the density of data in today’s networks, thieves don’t just get some data – they get it all.”

In the same warnings from last year, Visa urged companies to switch away from PCI-DSS to EMV, which has become the standard in the rest of the world. In fact, the US is the last major PCI-DSS holdout, meaning American customers are, according to experts, less safe than their counterparts in Europe and elsewhere on the planet. Why the mass migration to EMV? Because it’s much more secure – nearly four times as secure, according to PNC, which saw fraud loss on just 0.035 percent of EMV transactions in 2008, compared to 0.13 percent on signature-confirmed transactions during the same period.

“In Europe, we’ve witnessed a serious ramping-up of offline attacks over the course of the last few years. It took migrating to an EMV-only infrastructure to significantly curb the amount of incidents,” says Schouwenberg. “It’s plausible we’re going to see a similar pattern over here. With EMV adoption being few and far between in the US, it would likely take us longer to curb the amount of incidents.”

Additionally, security experts say retailers need to begin thinking about their entire payment network as though it could be breached at anytime – or possibly already has been breached.

“Given that attackers are getting more sophisticated, all merchants need to re-think their security model and focus on an ‘inside-out’ model of security, which assumes the bad guys are already on the network,” says Chiu.

Last two cents

As cybercriminals wage ever-sophisticated attacks, and US retailers scramble to institute new safeguards on their networks while migrating to an entirely new security standard, we customers must remain vigilant about protecting ourselves from the bad guys by watching our transaction histories like a hawk. The transition to the EMV standard not going to be easy, it will take a long time to get there, and still won’t be fool-proof. So if you’re looking for a quick fix, I can offer but one reliable suggestion: Use cash (and keep an eye out for pickpockets).

Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…
How to download a video from Facebook
An elderly person holding a phone.

Facebook is a great place for sharing photos, videos, and other media with friends and family. But what if you’d like to download a video to store offline? This means you’d be able to watch the clip on your PC or mobile device, without needing to be connected to the internet. Fortunately, there’s a way to download Facebook videos to your everyday gadgets, although it’s not as straightforward a process as it could be.

Read more
How to delete your Gmail account (and what you need to know)
The top corner of Gmail on a laptop screen.

Is it time to part ways with your Gmail account? Whether you’re moving onto greener email pastures, or you want to start fresh with a new Gmail address, deleting your old Gmail account is something anyone can do. Of course, we’re not just going to bid you farewell without a guide all our own. If you need to delete your Gmail account, we hope these step-by-step instructions will make the process even easier.

Read more
How to change margins in Google Docs
Laptop Working from Home

You may find that Google Docs has a UI that is almost too clean. It can be difficult to find basic things you're used to, such as margin settings. Don't worry, though, you can change margins in Google Docs just like with any other word processor through a couple of different means.

Read more